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FEDERATION OF EUROPEAN DIRECT AND INTERACTIVE MARKETING 


EUROPEAN CODE OF PRACTICE 
FOR THE USE OF PERSONAL DATA 
IN DIRECT MARKETING 
ELECTRONIC COMMUNICATIONS ANNEX 


This Annex is designed primarily as an instrument of best practices, and it is intended for use as a 
reference document within the framework of applicable laws’. 


Direct and interactive marketers should operate to the standards laid down in the FEDMA Code 
and its Annex, subject always to their obligation to comply with their relevant national laws or 
self-regulatory provisions. 


Neither the FEDMA Code nor this Annex are intended to reduce or replace the applicability of 
national laws and regulations. 


The provisions in the Annex, concerning On-line marketing, are to be seen as complementary to 
those set up in the FEDMA Code. 


All provisions of this code apply without prejudice to the provisions of the applicable 
national legislation. Where specific requirements exist at national level, these will have to be 
complied with, in accordance with the applicable law rules set out in this Code and in 
accordance with EU legislation. 


Brussels, June 2010 


' Suchas the e-Privacy Directive (2002/58/EC; currently under review) and the Data Protection 


Directive (95/46/EC) 


DEFINITIONS 


Commercial Communications — Any form of communication designed to promote, directly or 
indirectly, the goods, services, image of a company, organization or person pursuing a 
commercial, industrial or craft activity or exercising a regulated profession. 


Unsolicited Commercial Communications — Any communication sent to customers with whom 
the marketer does not have an ongoing commercial or contractual relationship or where such a 
communication is otherwise uninvited. 


On-line marketing - A component of electronic commerce and refers to the use of the Internet to 
advertise and sell goods and services. Direct Marketing in the On-line environment refers to one- 
to-one marketing activities where individuals are targeted.” Blog marketing is covered in those 
instances where personal data is used or processed. 


Electronic Mail — Any text, voice, sound or image message sent over a public communications 
network which can be stored in the network or in the terminal equipment of the recipient of the 
message until it is collected by the recipient.* 


Processing of Personal Data — Any operation or set of operations which is performed upon 
personal data, whether or not by automatic means, such as collection, recording, organization, 
storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, 
dissemination or otherwise making available, alignment or combination, blocking, erasure or 
destruction.* 


Database or List — Means of holding personal information for direct marketing purposes and 
normally accessed by reference to names and addresses and held in the form of paper or 
electronic list. 


Consent — Any freely-given, specific and informed indication of the data subject’s wishes by 
which he signifies his agreement to the processing of personal data relating to him. 


Marketer - includes sole traders, partnerships or corporate bodies acting on a professional basis 
that either send or commission the sending of an electronic mail message through a 
communications network.” 


Automatic Harvesting — the automatic extraction of Personal Data from websites, chat rooms 
and similar sources. 


Direct Marketing addresses individual consumers (or companies) rather than a group of individuals 
selected because of a certain behavioural trait. 

The provisions of this annex do not apply to messages sent by fax or voice telephony, as these are 
covered by the provisions of the General Code on the Use of Personal Data in Direct Marketing 
(2003), while SMS, MMS, voicemail and other forms of electronic communications are part of the 
definition of electronic mail because they can be stored in the network or terminal equipment. 

* Directive 95/46/EC, Article 2 b) 

This excludes individuals, such as a private person selling products on eBay 


1. LAW APPLICABLE 


For the law applicable to On-line Marketers and Controllers please consult the FEDMA European 
Code of Practice for the Use of Personal Data in Direct Marketing (point 1). 


2. OBTAINING PERSONAL DATA DIRECTLY FROM THE DATA SUBJECT 


2.1 General principles for fair processing of Data 


Controllers must collect and process Personal Data from Data Subjects in a fair and transparent 
manner and in conformity with the provisions of the FEDMA European Code of Practice for the 
Use of Personal Data, as well as current applicable EU and national legislations. 


Controllers must ensure that Data Subjects are clearly and distinctly informed of: 

a) the identity of the Controller including valid electronic contact 
details, and at least another means for rapid, direct and 
effective communication 

b) the purpose(s) of the processing (e.g. transactional or 
promotional purposes, or, in the case that the data subject is 
not aware (for example, because he/she is not a customer), the 
categories of products for which electronic marketing 
messages may be sent); 

c) their right to access data related to them and to correct 
erroneous data; 

d) the purpose of disclosure to or use on behalf of specified third 
parties or categories of third parties; 


Furthermore, the Data controller should: 

e) offer the Data Subject at the time of the collection of the 
personal data the right to object free of charge’, at least via the 
same channel and in an easy manner to the processing of their 
Personal Data for Direct Marketing purposes; 

f) as soon as is practicable inform the Data Subjects in case of 
material changes to points a) to d) above, and seek their 
renewed consent if the data subject’s data are to be used for a 
different purpose; and 

g) Validate the data subject’s data periodically, e.g. taking into 
account the fact that email addresses become obsolete quicker 
than physical addresses ; this can be done as part of a 
commercial message. 


“free of charge” refers throughout to the right of the Data Subject to unsubscribe without being 
charged a fee or being directed to a premium rate telephone line by the advertiser/the data controller 
(please see Section 2.7 for detailed information) 


This essential information should be given at the time of the collection, unless it is completely 
clear from the context (for example, as regards the identity of the Controller, if the name of the 
company is clearly shown on the website and the purpose if it is clear from the form used), or the 
Data Subject already has the information (for example, the Data Subject has already received the 
information as part of a contract or in the course of an ongoing relationship with the Controller). 


2.2 Collection of Personal Data from Consumers 


2.2.1 


2.2.2 


Use of electronic mail Data for Marketing 


In order to send marketing messages to consumers via electronic mail, the Controller 
must collect the data subject’s prior consent. 


Data controllers should remember that consent to receive marketing messages may be 
invalid if the recipient was not adequately informed. 


In the Context of a Sale 


In the case where electronic mail contact details (email address, SMS details, etc.) have 
been collected in the context of a sale of a product (good or service), the Data Subject 
does not need to “opt in” to that data being used subsequently for Direct Marketing, 
provided all the following conditions are met: 


a) the Controller collected the electronic mail contact details in the context of a sale of 
a product (good or service), 

b) the Controller offers an effective unsubscribe facility, at least via the same channel, 
to unsubscribe from receiving electronic marketing messages free of charge and in an 
easy manner at the time of data collection and in all subsequent marketing 
communications sent’, 

c) any electronic marketing communications only relate to products similar to those 
considered in the context of the sale and provided by the Controller, 

d) the identity of the marketer on whose behalf the electronic marketing communication 
is sent is not disguised, 

e) the commercial purpose of the communication is clearly identifiable at the beginning 
of the message (see point 2.5 of this code) 


In order legitimately to send information about "similar products", the controller must 
bear in mind that the boundaries between products are set by the reasonable expectations 
of the customer (data subject) and not the reasonable expectations of the sending 
controller/seller. Accordingly, the data subject (consumer) must be informed in advance, 
at the time of the collection of his/her personal data, of the meaning of "similar goods and 
services" for the controller(sender) 


The seller/controller must be the same company, not subsidiaries or mother companies. 


please see section 2.7 for further details 


2.3 Specific situations 
2.3.1 Information to be provided in the case of use by the Controller itself 


In the case where the data are intended to be used by the Controller on its own account 
and for its own on-line marketing use, the Controller must ensure that the Data Subject is 
aware of the essential information, and of his/her right to opt-out from such use. 


This information must be made known to the Data Subject in a clear, visible and 
accessible manner before or during the data collection process. In cases where it is 
difficult or impossible to provide this information to the Data Subject due to 
technological constraints of the channel the Data Subject is using to communicate with 
the Controller, for example in mobile marketing where text messages are limited to 160 
characters, the Data Subject may be provided with a short notice and a website address or 
another source where he/she may access all the essential information. 


Where permitted by national legislation, this essential information can be given after the 
data collection. 


It is equally important that the right of the Data Subject to object to the use of electronic 
contact details for Direct Marketing purposes is easily accessible on the website; is 
offered in an explicit and unambiguous way; is offered at least via the same channel; and 
that the Data Subject can easily exercise this right. 


Personal Data of Data Subjects cannot be used for the purposes of Direct Marketing via 
electronic communications without the prior consent of the Data Subject except in the 
cases mentioned in point 2.2. 


2.3.2 Information in the case of disclosure of Data Subjects’ Personal Data to Third Parties 


This point does not apply where the Personal Data is passed on to Data Processors who 
only act under the instructions and on behalf of the Controller. 


A Controller that lawfully obtains electronic mail contact details from another Controller 
or Third Party needs to ensure that the originating Controller has lawfully collected the 
data before using that data to direct market by electronic mail. 


Where Personal Data are collected with the intention to be communicated to Third Parties 
for Direct Marketing via electronic mail, Controllers must ensure that Data Subjects are 
informed of: 


a) any recipients or categories of recipients of the data and the purposes for which the 
data will be disclosed prior to the Data Subject giving his/her consent; 

b) their right to withdraw their consent to disclosure of the data for Direct Marketing 
purposes at any time, free of charge and in an easy manner; 

c) the commercial communication is clearly identifiable as such at the beginning of the 
message (see point 2.5 of this code). 


Please see section 2.7 for further details 


This information must be made known to the Data Subject in a clear, visible and 
accessible manner before or during the data collection process. In cases where it is 
difficult or impossible to provide this information to the Data Subject due to 
technological constraints of the channel the Data Subject is using to communicate with 
the Controller, for example in mobile marketing where text messages are limited to 160 
characters, the Data Subject may be provided with a short notice and a website address or 
another source where he/she may access this information. 


Where permitted by national legislation, this essential information can be given after the 
data collection. This information must be given before any such communication to Third 
Parties takes place. 


2.3.3 Information in the case of use of on-line questionnaires and other forms 


Controllers must ensure that Data Subjects are informed of whether the replies to 
questions are obligatory or voluntary, and the possible consequences of a failure to reply 
to obligatory questions (for example, including but not limited to, not receiving a 
gift/voucher/special offer/reward). The Controller should also ensure that no unnecessary 
questions are asked. 


This information should be given at the time of data collection. 


2.4 Collection of Personal Data of Legal Persons related to business products or services 


Persons clearly linked to their organization or company can be contacted for Direct Marketing 
purposes for business-related products or services through electronic mail without their prior 
consent but only in the context of the position they hold in either the public or private sector — 
and without prejudice to an opt-in regime applicable under national laws. Such an electronic mail 
must contain in any case an unsubscribe facility by which the Data Subject can object to receiving 
future unsolicited commercial communications via the medium used or another medium. 


The webpage on which the collection takes place should clearly state the Data Subject’s right to 
object to every future commercial use of his/her Personal data for Direct Marketing both by the 
data collector as well as its intermediaries and inform the subject how to object to processing of 
electronic contact details. 


2.5 Identification in the context of commercial Electronic Mail 
All Commercial Communications sent via electronic mail regardless of the recipient of the 


message should contain the identity of the marketer on whose behalf the communication is made 
and must be clearly identifiable as a commercial message at the beginning of the message. 


Data controllers should remember that consent to receive this type of marketing message may be 
invalid if the recipient was not adequately informed. 


2.7 Unsubscribe facility 


All electronic commercial communications should offer the recipients of the messages a simple, 
effective, free of charge, direct and easily accessible method of unsubscribing from receiving 
further such messages including, but not limited to the use of electronic mail. The recipient of the 
message should be able to unsubscribe from receiving further such messages without having to 
state a reason. The marketer should react upon the recipient’s request within a reasonable time 
and mark the data as blocked. 


Unsubscribing should be free of charge and wherever possible offered via the same 
communication channel’. “Effective” means that: 


a) the unsubscribe request is processed promptly; 


b) any request to unsubscribe should be taken into account in future campaigns, so that the 
data subject should not receive any further unsolicited commercial electronic mail 
communications. 


If there is a communication cost involved, it should be limited to the standard price for use of a 
communications channel'®. Marketers should be encouraged to use a toll-free phone number or a 
free post box. The unsubscribe facility may not make use of premium rate telephone lines. 


3. OBTAINING PERSONAL DATA FROM OTHER SOURCES THAN THE DATA 
SUBJECT 


3.1 Requirement to provide Information 


Where Controllers do not collect Personal Data for Direct Marketing purposes from the Data 
Subjects themselves (e.g. they receive the data via rented-in lists, or data collected from Third 
Party questionnaires), they are obliged to take such steps as necessary to ensure that the lists are 
in accordance with applicable requirements and that in accordance with those requirements Data 
Subjects have given their consent to the use of their electronic mail contact details and are 
provided with the information (point 2.1) they would have received if they had provided the 
Personal Data directly to the Controller. 


These electronic mail contact details may only be used for contacting the third party for direct 
marketing purposes by Third Parties after obtaining the Data Subject’s freely given, specific and 
informed consent. In the case of marketing via other channels (post, fax, voice telephone) the 
FEDMA code or national law should stipulate whether consent is required. 


Controllers should provide the information referred to in point 2.1, including available 
information on the source of the personal data unless the data subject already has this 
information: 

a) at the time of undertaking the recording (i.e. processing) of the data, 


? The unsubscribe facility will normally be offered online (e.g. by e-mail or a link on a website) due to 


the fact that this annex covers electronic communications. 


10 such as a local phone call, an SMS or standard letter postage 


b) or where a disclosure to a Third Party is envisaged no later than the time of 
disclosure, unless the Data Subject had already been informed. 


Data subjects should be provided with effective means to exercise their right to object to the use 
and disclosure of their personal data, at least via the same channel, free of charge and without 
having to state their reason to object. 


3.2 Member-get-member Campaigns 


3.2.1 General Principles for Member-get-Member Campaigns 


Note: This section is without prejudice to specific legislation in those Member States, where 
member-get-member campaigns are governed by concrete regulation. 


Regarding the use of electronic mail contact details collected by Controllers via Third Parties 
(e.g. via member-get-member campaigns and similar), the Controllers should respect the 
principles relating to the consent of the Data Subject and the applicable data protection 
requirements. 


It should be clarified that member-get-member campaigns, viral campaigns, “word-of-mouth” 
campaigns, “mail this article to a friend” mechanisms, etc, cannot be used to obtain the consent of 
a Data Subject through a third party (i.e. the friend who is forwarding the message/article) for the 
further sending of electronic commercial communications to the Data Subject by the Controller. 


The following principles should apply to member-get-member campaigns and commercial 
messages sent on the initiative of a “friend” through the mail facilities of the Controller: 


a) The identity of the sender must be obvious to the recipient; 

b) The sender must see the full message, that is about to be sent in his name, before it is sent; 

c) The email address of the recipient may not be used by the marketer for any other marketing 
purpose but the one-time transmission of the message". 

3.2.2 Using Rewards and Incentives in Member-get-Member Campaigns 


Note: In a few Member States rewarding customers for providing data is restricted or forbidden. 
You should verify that your campaign is in conformity with the national law. 


Where incentives/rewards for “Viral Marketing” are permitted by national law, the following 
principles should be applied: 


a) You should ask your customer to confirm that they have the consent of the individuals 
whose details they are passing on; 


b) You should check that the recipient hasn’t already asked you to suppress their details; 


In those countries where member-get-member campaigns are permitted by national law, the data may 
need to be kept for a period of no longer than three months after the end of the campaign exclusively 
to deal with any complaints from recipients. 


c) You should tell your customer that you propose to let those individuals know how you 
got their details; 


You are reminded that it is the instigator of the message who is liable for the sending of that 
message. 


3.3 Host Mailings 


The Controller for a Host Mailing service must be clearly identifiable. A host mailing service is 
where the advertiser is willing, for a fee, to send (or to instigate the sending through the 
marketer’s normal outsourcing arrangements under a data processing agreement), on behalf of 
Third Parties, email marketing promoting the third party's goods and services to the marketer 's 
own email database. 


Marketers should note that they must obtain the freely given, specific and informed consent (i.e. 
opt-in) of individuals in accordance with point 2 and therefore they cannot rely on the provisions 
of point 2.3.1 for any such host mailing activities to Subjects. Selective criteria which has a 
detrimental effect on the rights of the Data Subject — for example, the use of sensitive data linked 
to a sales pattern (past purchases of a pharmaceutical product) should not be used without the 
freely given, specific and informed consent. 


4. PREFERENCE SERVICE SYSTEMS 


For information on Preference Service Systems and In-House Suppression Lists, please consult 
the FEDMA European Code of Practice for the Use of Personal Data in Direct Marketing (point 
5). 


Data controllers who are sending out unsolicited commercial communications should consult 
relevant national e-mail preference services if they are sending e-mails to individuals whose usual 
residential address is located outside EU/EEA member states. 


5. PRIVACY POLICY & USE OF COOKIES 


5.1 Privacy Policy 


If Personal Data are being collected on-line, the privacy policy should be easily accessible or 
available via a link from every e-mail delivered. If collected off-line, the privacy policy should be 
set out, as a matter of best practice, in full and attached to the material used to collect the data. 


5.2 Use of Cookies 


Controllers and Data Processors should include clear and comprehensive information in their 
privacy policy about any cookie, clear gif or similar device within the e-mail, including the 
purpose of any storage of and access to any information stored on the terminal equipment of the 
recipient of the message, and an opportunity for the recipient of the message to refuse its 
deployment, as well as the consequences off refusing to accept such deployment. 


5.3 Reference to the FEDMA Code of Conduct 


Controllers and Data Processors should make express reference to this Code of Conduct where 
appropriate in domestic, intra-Community and non-EU contracts related to the sending of on-line 
marketing mail messages. 


6. PROTECTION OF CHILDREN 


The data controller is responsible for setting up the procedure that guarantees that the age of the 
minor and the authenticity of the consent given by the parents, guardians or legal representatives 
has been effectively checked, using reasonable efforts, bearing in mind that there is no easily 
accessible, universally accepted age verification system available on the internet. 


1. Inthe case that the data subjects are children and have not yet reached the age to legally 
give their consent (according to national law), or have been placed under legal restraint or 
the care of a mentor, the consent of their legal representative is required, where consent is 
needed for processing. 


2. The data subjects or their legal representative may withdraw consent at any time. 


3. Under no circumstances may data be collected from the child regarding information 
about any other member of the family unit, or another person, such as data relating to the 
professional activity of the parents, financial information, sociological or other such data, 
without the consent of the persons to whom such data refer. Notwithstanding this, data 
regarding the identity and address of the legal representative may be collected for the sole 
purpose of obtaining the authorisation as set out above. 


When informing children about the processing of their data, this information shall be 
expressed in easily understandable language. 


4. Without the prior consent of the legal representative, it is unlawful to invite children to 
provide sensitive data, revealing the racial or ethnic origin, political opinions, religious or 
philosophical beliefs, trade-union membership, or the processing of data concerning 
health or sex life of the child or financial situation about themselves, or any third party, 
such as their parents or friends. 


5. It is unlawful to incentivise children to provide for marketing purposes their own 
personal data or personal data of a third party in exchange for a material or virtual 
reward. This includes invitations to provide personal data in order to be able to 
participate in a game of chance, tombola or lottery. 
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7. FORBIDDEN PRACTICES 


7.1 Automatic Collection of Data 


The harvesting of personal data must always be transparent and obvious to the Data Subject. For 
that reason, practices such as Automatic Harvesting, social engineering to try to obtain personal 
data, or dictionary attacks to attempt to guess email addresses by adding frequently used names to 
known domain names, are forbidden by the Data Protection Directive. 


7.2 Spyware 


Marketers should not install, have installed, or use, software or other similar technology on a 
computer or similar device that initiates deceptive practices or interferes with a user’s expectation 
of the functionality of the computer and its programmes’”. Such practices include, but are not 
limited to, software or other similar technology that: 


e Takes control of a computer (e.g., relaying spam and viruses, modem hijacking, denial of 
service attacks, or endless loop pop-up advertisements); 


e Deceptively modifies or deceptively disables security or browser settings, or 
e Prevents the user’s efforts to disable or uninstall the software or other similar technology 
Anyone that offers software or other similar technology that is installed on a computer or similar 
device for marketing purposes should: 
e Give the computer user clear and conspicuous notice and choice at the point of joining a 
service or before the software or other similar technology begins operating on the user’s 
computer, including notice of significant effects” of having the software or other similar 


technology installed; 


e Give the user an easy means to uninstall the software or other similar technology and/or 
disable all functionality; 


e Give an easily accessible link to a privacy policy, and 


e Give clear identification of the software or other similar technology’s name and company 
information, and the ability for the user to contact that company. 


12 
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Passive means of data collection (such as cookies, web beacons) are not governed by this guideline. 

Determination of whether there are significant effects includes, for example: 

- whether pop-up advertisements appear that are unexpected by the consumer; 

- whether there are any changes to the computer’s home page or tool bar; 

- whether there are any changes to settings in security software, such as a firewall, to permit the software 
to communicate with the marketer or the company deploying the software, or 

- whether there are any other operational results that would inhibit the user’s expected functionality. 
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ANNEX 
- Examples - 


1. Soft Opt-in 


a) Best Practice 


When using the soft opt-in, this would be acceptable on a website provided the details are 
collected in the context of a sale of similar products. 


Thank you for your interest in our holidays. We have lots of offers on similar travel products we 
would like to tell you about. Please click here if you do not want us to send you emails about 
these offers. 

In any case you”’ll remain free to object to every message sent to you. 


This is a clear statement that refers to that company’s own similar products/services and gives an 
easy (and free) way of opting out. 


b) Not Acceptable 


The following would not be acceptable if a company wished to pass details on to third parties as 
the soft opt-in cannot be used by other companies: 


Thank you for your interest in our products. We have lots of offers on similar products we would 
like to tell you about. Please click here if you do not want us to send you emails about these 
offers. We know other companies would like to tell you about travel insurance and we will pass 
your details to them unless you tell us you do not agree to this. 


The statement above would not allow the third party company to use this subscriber’s details for 
marketing purposes as the subscriber has not consented to their use for this purpose. 


2. Transfer to specified categories of third Parties 


a) Best Practice 


This would be a good way of finding out whether a subscriber consented to you passing details to 
other companies: 


We would like to pass your details to companies that offer travel-related goods or services who 
may be interested in telling you about travel insurance which will cover you on any holiday you 
book with us. Please tick the box if you agree to us doing this. 


Here, the company can only pass on the details of subscribers who have taken some action 


(ticking in the box) to let the company know that they consent to the disclosure. Subscribers who 
choose not to tick in the box will not have their details disclosed. 
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b) Not Acceptable 


i) 

This following example is not good practice. It is not sufficiently clear and may confuse people. 
It also does not give the subscriber any options but yes or no — the company tries to give the 
impression that the customer has to go to one of the stores to opt out. This would certainly not be 
acceptable if it were ‘hidden’ in a lengthy privacy policy or contract. 


We may use your contact details, transaction details and details provided to us by selected third 
parties in our customer marketing programme. On occasion, members of our corporate group 
may contact you by letter, email, telephone, text message or otherwise to inform you about 
products and services that may interest you. We try to limit the number of times we contact you 
to legally acceptable levels but if you wish to exercise your rights under the national law 
implementing the 1995 Data Protection Directive and the 2002 Privacy in Electronic 
Communications Directive , you should inform your local store or let us know by any means 
convenient to you. 


ii) 

This is another example of a confusing opt in/opt out statement — there are multiple options for 
different mediums and different types of contact and combines an opt in and opt out in the same 
policy. There is also very little information about the third parties to whom information may be 
passed. 


Data Protection 

Your details will be processed by XYZ Ltd in compliance with the national law implementing the 
1995 Data Protection Directive and the 2002 Privacy in Electronic Communications Directive. 
We may wish to contact you with information about our other products and services. Please tick 
a box if you prefer NOT to receive such information by any of the following: 


Post [] Email [] Phone [] SMS/Other [] 

We share data with other companies who wish to contact you with information about their 
products and services. Please tick if you prefer NOT to receive information by any of the 
following: 

Post [] Phone [] 

Please tick if you DO wish to receive such information by any of the following: 

Email [] SMS [] 

iii) It is unlawful to use pre-ticked boxes that the data subjects must click out in order to object to 


the transfer of their personal data and contact details to third parties for electronic 
communications and on line marketing. 
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3) Model Clause asking for the children’s consent: 


Here at [company name], we need your name and other details about you so that we can 
[purposes]. You can give us these details by filling out this form. Because you are under [x], we 
need to make sure that the people who look after you (like your parents or carer) are OK with us 
having information about you. 


Remember, either you or someone who looks after you can ask us to see the information we have 
about you at any time. You can also ask us to correct it if it’s wrong. You can also tell us to stop 
emailing you if you don’t want to hear from us anymore. 


If you want to email us about this (or anything else), use this email address (...@...). 


4) Model Clause to be used in the context of a contact form: 


In accordance with the [country] national legislation implementing the 1995 Data Protection 
Directive and the 2002 Privacy in Electronic Communications Directive, [data controller] 
informs you that the information registered will be processed for the sole purpose of managing 
your request. At any time you can exercise your rights of access, to rectify, to cancel or to object 
by sending an email to [email address], or in writing to [physical address]. 


5) Clause to be used in the context of a contact form, asking for the consent to send also 


commercial information: 


In accordance with the [country] national legislation implementing the 1995 Data Protection 
Directive and the 2002 Privacy in Electronic Communications Directive, [data controller] 
informs you that the information registered will be processed to manage your request. The 
contact details you have provided may also be used to send you commercial or promotional 
information related to our own products and services. At any time you can exercise your rights of 
access, to rectify, to cancel or to object by sending an email to [email address], or in writing to 
[physical address]. 

If you prefer not to receive such information, please tick this box: 


6) “Opt-in” example (FR): 


Fichier clients avec cession possible des e-mails des personnes 

Ces informations sont nécessaires a notre société pour traiter votre demande. 

Elles sont enregistrées dans notre fichier de clients et peuvent donner lieu à l’exercice du droit 
d’accés et de rectification auprès de notre service clientèle. 

Si vous souhaitez recevoir des propositions commerciales de nos partenaires par voie 
électronique, merci de cocher la case ci-contre 
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7) “Soft-opt-in” example (FR) : 


Réutilisation des adresses électroniques des clients pour leur proposer des biens ou des services 
analogues 

Vous êtes susceptibles de recevoir des offres commerciales de notre société pour des produits et 
services analogues à ceux que vous avez commandés. Si vous ne le souhaitez pas, cochez la case 
ci-contre 


8) Other Models“ 


"xxx [name of the company] recommande la collecte d’un consentement actif préalablement a 
l’utilisation des données pour toute communication électronique à caractère personnel". 


a) Exemples de mentions relatives a la collecte du consentement (d’autres formes peuvent 
étre acceptées) : 


i) Exemple 1 : 
J’accepte de recevoir des offres de xxxx [company] à des fins commerciales, par 
courrier électronique (ou e-mail) 


ii) Exemple 2 : 
J’indique ci-après mon adresse e-mail ; je recevrai donc des propositions de 
xxxxx à des fins commerciales : @ 


iii) Exemple 3 : Dans le cas de collecte a finalité de prospection par des partenaires de la société 
qui collecte 

J’accepte de recevoir des offres commerciales par courrier électronique des 
partenaires commerciaux de xxxxx [company] qui, dans ce cadre, pourront accéder aux 
informations qui me concernent. 


b) Exemples de mentions relatives au droit d’opposition (d’autres formes peuvent étre 
acceptées): 


i) Exemple 1 : 

Vous êtes susceptible de recevoir des offres commerciales de xxxxx[company]pour les produits et 
services analogues à ceux que vous avez commandés. Si vous ne le 

souhaitez pas, cliquez ici 


b) Exemple 2 : 

Vous recevez des offres commerciales de xxxx[company |parce que vous avez déjà passé 
commande de produits de mêmes catégories (des produits alimentaires, de 

loisirs etc.) à[company]. Si vous ne le souhaitez pas, cliquez ici  ». 


The CNIL has approved two codes of conduct in 2005 on electronic marketing submitted by two 
organisations representative of direct marketing in France. 
http://www.sncd.org/_uses/lib/3853/deontologie_e mailing_2005 03.pdf 
http://www.fevad.com/images/DocArticle/code_ufmd_prospection_emailing.pdf (pages 10 to 14) 
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